It’s only a few months since I wrote on the subject of passwords – see this post on passwords – but I don’t apologise for returning to the subject. A client of mine (let’s call him Fred) has just had a very nasty experience and I believe that it was probably caused by his Gmail password being high on the list of “guessables” that should be avoided.

Some of the best-known of these are:

password (really. I know people who use this as a password)

123456

qwerty (yes, I’ve seen this one too)

654321

123abc

12345

wife’s, husband’s, daughter’s, son’s name

cat’s name (in my experience a VERY common choice)

dog’s name (nearly as popular as cat’s name)
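The kind of check a site could run at sign-up to turn this list away, added here as an example and not part of the original post: a small Python policy function that rejects the guessables above (the blocklist entries are the post's own; the family and pet names and the sample passwords are constructed).

```python
"""Guessable-password check (added example, not from the post).

Rejects the "guessables" the post lists: well-known passwords, short digit
runs in either direction, keyboard-row walks, and family or pet names with
an optional trailing number. Names and sample passwords are constructed.
"""
import re

# Seeded with the post's examples only; a real deployment uses a far longer
# list (the post mentions Twitter blocking around 370 such passwords).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "654321", "123abc", "12345"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_sequential_digits(pw: str) -> bool:
    """True for runs like 12345 or 654321 (each digit +1 or -1 from the last)."""
    if not pw.isdigit() or len(pw) < 4:
        return False
    steps = {int(b) - int(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_walk(pw: str) -> bool:
    """True if the password is a stretch of a keyboard row, forwards or backwards."""
    low = pw.lower()
    return len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS)


def uses_personal_name(pw: str, names) -> bool:
    """True if the password is a known family/pet name, optionally plus digits."""
    stem = re.sub(r"\d+$", "", pw.lower())
    return stem in {n.lower() for n in names}


def check_password(pw: str, personal_names=()) -> list[str]:
    """Return the reasons a password is guessable; an empty list means it passes."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on common-password blocklist")
    if is_sequential_digits(pw):
        reasons.append("sequential digits")
    if is_keyboard_walk(pw):
        reasons.append("keyboard row pattern")
    if uses_personal_name(pw, personal_names):
        reasons.append("matches a family or pet name")
    return reasons


if __name__ == "__main__":
    names = ["Fred", "Alice", "Tiddles", "Rover"]  # constructed sample names
    for candidate in ["password", "Tiddles1", "654321", "asdfgh", "v7!Tq-m2Lz"]:
        print(candidate, "->", check_password(candidate, names) or ["ok"])
```

The name list would come from whatever profile fields the service already holds, which is exactly why a cat's name is a poor secret.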

It’s not for me to harangue people, and I’m not perfect with passwords, but let me tell you what happened to Fred and perhaps it will help you to “re-calibrate your priorities, online security-wise”.

Fred has (or HAD) a Gmail account. Luckily, he only uses (USED) it for email (and none of the other Google services such as AdWords advertising).

Someone hacked into his account. How? Well, they could have got his email address from loads of places. After that they only needed to go to www.google.co.uk, click the sign-in button at the top right, and start guessing some passwords. That’s all there is to it. Nothing more. No degrees in computer science, no password-cracking software. Just an email address and a few minutes to try some of the more popular guessable passwords.

Having got into his email account, the hacker then used both the email account and the list of email addresses he found in it to send harrowing, scary, extortionate emails (in Fred’s name, of course) to Fred’s correspondents, saying that he had been mugged, robbed, etc., and “would you please send some money”…

Having got into the account, the hacker changed the password, and also changed the “recovery email address” and the “security question”. Fred cannot now get back into his own account.

So, his first problem is to contact everyone and put the record straight about the non-existent mugging. He can’t do that because all the email addresses are in his Gmail account and he can’t get back into it.

I don’t know how he solved that part of the problem, but he asked me to help him get his account back and I’ve had to tell him that we might never get it back. If this ever happens to you then you need to visit a Google web page here.

You then need to answer Google’s questions, as best you are able, to convince them that you are the true owner of your email address. They won’t discuss this on the phone. They won’t accept any form of proof of identity that you care to offer them. Either you can fill in the form in such a way that they are convinced you are the true owner or you have had it – you’ve lost your email address and the contents. What’s worse, of course, is that someone else now has control of it and can do further harm in your name.

And just in case you think it would be easy to just fill in a form, do you know, for instance, the exact day, month, and year that you opened your Gmail account? No: I thought not. “Ah”, you say, “I’ve probably got a dated sign-up email from Google or something”. Well, even if you have, you can’t get at it if you can only access your account by webmail. Doh!

And, just in case you think “there must be another way of getting back into it”, this is what Google says:

“We’re sorry to hear that you were unable to regain access to your account. If you didn’t fill out the account recovery form completely by providing your best guess to all the questions, please fill it out again. If you’ve provided your best guess for all questions and the information didn’t match our records, we’re unable to provide you access to the account.” – source

I haven’t investigated whether webmail accounts other than Google’s are as difficult to recover as this. Whether they are or not, I could not recommend more strongly that you change your password if it’s so obvious that it could be guessed in less than, say, ten minutes of trying.

PS – I read that Twitter are now saving people from themselves by not allowing 370 of the most obvious passwords to be used on Twitter accounts – see this Telegraph article.

PPS: I don’t yet know if we can get back into Fred’s account. It’s still in the lap of the Gods (i.e. Google – same thing).

PPPS: It occurs to me that a good way of proving ownership would be to tell Google the answer to the security question, the recovery email address, the password etc as they were some time before the hacking. Surely Google must have some backups and history? I don’t know the answer to this and haven’t been able to find any reference to this approach anywhere.